How Evaluate Cloud-Based Condition Monitoring Security


Cloud-based condition monitoring technology can be your front line of defense against unscheduled downtime. Secure, cloud-based predictive maintenance systems have many advantages compared to on-premises solutions, including access from anywhere, advanced analytics, configurable dashboards, and scalability, all without the need to buy and maintain local servers. They are significantly less expensive than the local approach. Best of all, they enable off-site service and reliability experts to easily access machine data.

The benefits are numerous but approval for installation will need to go through your IT department, and they are going to have concerns about security. To succeed, you need to understand key security concepts so that you can evaluate the protections provided by candidate condition-monitoring systems. With this information, you can explain your chosen solution to your IT department and justify approval when you know that security is good. The 3 major concepts to looks are:

1. Secure Architecture 
2. Secure Access 
3. Secure Data Transfer

We live in a world in which you can apply for a mortgage from your mobile phone or transfer thousands of dollars in the blink of an eye. The question is not whether techniques for establishing secure connections exist, it’s whether the devices in question apply those techniques. Below is a checklist of what to look for:

1. Secure architecture

Outbound traffic only

One of the primary objections to connecting assets to the outside world is that they could provide access to hackers. Certainly, no one likes the idea of a malicious attacker gaining control of a manufacturing line. The key point to keep in mind is that a good online predictive maintenance system is restricted to only outbound traffic. No one is allowed to send commands to the on-premises equipment. Confirm that your cloud-based condition monitoring solution takes this approach and make sure that your IT department is aware of it.

Isolated from control network

To reduce risk of intrusion into critical control data, the network used by the condition-monitoring equipment should be isolated from the control network. Again, the emphasis is on viewing data, not on sending code that could potentially change the operation or even the function of assets. While full network access can be considered, isolating a device to its own network without access to other systems will fast-track the approvals process. It is difficult to overstate the importance of passing this information to your IT department. This is probably their single biggest concern.

Limited open ports

Another way to minimize attack vectors is to restrict ports to limit the number of ports. The vendor should be able to list the exact ports cleared for use. There should also be an option for white listing the domains accessed by the equipment. This approach ensures that the system is only accessing a known safe side and not one that could potentially install malware or mount a phishing attack. These sites should be secure. Look for URLs beginning with https:\\

2. Secure access

Secure login for both device and cloud

The system needs to be built around secure logins for both accessing device and cloud portal. A cloud consists of physical servers divided into multiple virtual machines, or logical partitions (LPARs). Multiple users within an organization will typically log into the same LPAR. In a public cloud, multiple users from different organizations may log into the same physical server, although in distinct LPARs. As a result, the cloud model presents an opportunity for users to hack one another’s passwords. This is why cloud deployments make IT departments nervous. A cloud-based condition monitoring system should use encrypted passwords to prevent unauthorized users from hacking passwords to gain access.

Protecting cloud access alone is not enough. The condition-monitoring devices include microprocessors and memory. Devices are connected to the Internet, which creates an opportunity for hackers to modify device firmware or install malware that can compromise device or network security. To eliminate these vulnerabilities, the device itself needs to be password protected.

Role-based access

Operating on a need-to-know basis is a fundamental security technique. Device access should be limited to individuals with a demonstrated need for these capabilities. Similarly, the data and functionalities available through the web portal should be ranked by sensitivity. Users should be assigned credentials that limit their access to only the information they need to execute their tasks. The system administrator should be able to easily adjust permissioning on a real-time basis in the event that a user takes on new tasks.

3. Secure data transfer

Encrypted data transfer

Even if the data only involves asset health, it still needs to be encrypted. Any given system may also process and retain personally identifiable information (PII) such as names and emails, and this information should also be secured. Look for systems that encrypt data in motion as well as data at rest.

Secure connection

A cloud-based monitoring system should use the transport-layer security (TSL) cryptographic protocol for data transfer. This IETF standard is considered state of the art for secure communications. Look for solutions based around TSL 1.2, which is the latest version. The predictive maintenance system should have provisions for secure firmware updates as required. Avoid any solutions still using secure socket layer (SSL), as this protocol is outmoded and has known vulnerabilities.

Protected firmware

Smart devices need configuration and regular updates to firmware. Ensure that steps have been taken to perform these tasks securely. Device-level configuration screens should be password protected. Role-based access should be used to restrict these screens to staff members with a need to use them.

Firmware can be a key vulnerability for networked components. The code needs regular updates to apply security patches and enhance functionality. At the same time, firmware updates require writing to the device, which always presents an opportunity for attack. Remote management of these devices should be performed via password-protected access and secure protocols. Look for equipment with self checking capabilities and Trusted Boot functionality to prevent unauthorized changes.

Intrusion monitoring

Because public clouds host multiple LPARs on a single physical machine, there is always the possibility of hackers with authorized privileges for one partition gaining access to another. These are known as side-channel attacks. For major public cloud providers such as Amazon Web Services (AWS) and Microsoft Azure, security is central to the business model. Their clouds are architected to protect against side-channel attacks. Partitions are monitored for unauthorized intrusions. These public clouds are often more secure than on-premises networks.

At a device level, the condition-monitoring systems should maintain a record of access by any user to provide traceability and send alerts in the event of intrusion.

Benefits of cloud-based condition monitoring systems to IT departments

As digital assets become increasingly important for organizations of all types, the job of the IT department only grows bigger and more complex. System administrators may be reluctant to approve a cloud-based condition-monitoring solution because they are concerned it means more assets to manage. Fortunately, cloud-based solutions eliminate that concern. Hardware and software management is handled by the cloud service. The hardware platform is instantly scalable, typically by automated tools, and software and firmware are always up-to-date. Learn more about how to get started with predictive maintenance here

In terms of the monitoring device itself, configuration typically takes place over the web. Quality solutions also offer the option for easy customization of processes, whether that involves the appearance of the dashboard or the types of algorithms used for analysis. Your organization shouldn’t need a developer to help you extract the data you need and present it in the most convenient fashion.

A properly designed cloud-based condition-monitoring system lets you safely track machine health to improve productivity. To streamline the approvals process, start by researching available solutions to find out how they address each of the security points mentioned above. Armed with that information, you can discuss the protections in detail with your IT department. Ask your vendor for more details and for assistance if your IT department pushes back.

Additional Resources:

Learn how to develop a predicate maintenance program by starting small and scaling here

Learn more about vibration analysis best practices and continuous vibration monitoring here

Learn how to choose the best vibration sensors for rotating equipment